twilio-ruby

RequestValidator marks valid signature invalid when having multiple values attached to one parameter

Open hugo-netcraft opened this issue 1 year ago • 1 comments

Issue Summary

Same issue as https://github.com/twilio/twilio-python/issues/613

But to summarize, when Autopilot assigns a Field multiple values, the signature will be marked as invalid, due to the incorrect formatting of the string which is encrypted.

The proper format for the string should be the same as what's described in https://github.com/twilio/twilio-python/issues/613#issuecomment-1212975683

However, there is one slight issue with the recommended setup for Ruby which will currently make it impossible to validate the signature. As seen in the Exception log, the Field_number_Value only has one value set, which means that Sinatra is incorrectly setting the parameter.

I am filing the issue here because even if sinatra did give some form of array output, there is nothing in the code I can find to suggest anything that accounts for this possibility. Plus Twilio shouldn't be recommending this software if it doesn't fully support all of its features. I copied the code for formatting the parameters and tried it on an example:

params = Hash["something" => 1, "array" => Array[24,48,9]]
data = params.sort.join
print(data)

And got the output array24489something1 which is the incorrect format

Steps to Reproduce

  1. Set up the bot described in https://github.com/twilio/twilio-python/issues/613
  2. Set up the server below
  3. Check a valid signature is given when giving "6 hi hi" as the input
  4. Run the server, using "6 hi 4 hi 3" as the input

Code Snippet

Server setup:

require 'sinatra'
require 'twilio-ruby'
require 'json'

post '/autopilot' do
    content_type :json

    # Log the parameters as Sinatra parsed them
    @params = params
    p @params
    auth_token = '*********************************'
    sig = request.env["HTTP_X_TWILIO_SIGNATURE"]
    validator = Twilio::Security::RequestValidator.new(auth_token)
    url = 'https://******************************.eu.ngrok.io/autopilot'
    # Check the X-Twilio-Signature header against the URL and the parsed parameters
    if validator.validate(url, params, sig)
        print "Valid signature\n"
    else
        print "Invalid signature\n"
    end

    { :actions => [ { :say => "Hello" } ]}.to_json
end

Exception/Log

{"CurrentTask"=>"numbers", "Field_number_Value"=>"3", "Memory"=>"{\"twilio\":{\"chat\":{\"ChannelSid\":\"CHXXXXXXXXXXXXXXXXXXXXXXXX\",\"AssistantName\":\"\",\"Attributes\":{},\"ServiceSid\":\"IS100258ed6533477db9e6cd6d601bfdf7\",\"Index\":89,\"From\":\"\",\"MessageSid\":\"IMXXXXXXXXXXXXXXXXXXXXXXXX\"}}}", "Channel"=>"chat", "NextBestTask"=>"", "CurrentTaskConfidence"=>"1.0", "AccountSid"=>"ACXXXXXXXXXXXXXXXXXXXXXXXX", "CurrentInput"=>"6 hi 4 hi 3", "DialogueSid"=>"UKXXXXXXXXXXXXXXXXXXXXXXXX", "DialoguePayloadUrl"=>"https://autopilot.twilio.com/v1/Assistants/UAXXXXXXXXXXXXXXXXXXXXXXXX/Dialogues/UKXXXXXXXXXXXXXXXXXXXXXXXX", "AssistantSid"=>"UAXXXXXXXXXXXXXXXXXXXXXXXX", "Field_number_Type"=>"Twilio.NUMBER", "UserIdentifier"=>""}
Invalid signature

Technical details:

  • twilio-ruby version:
  • ruby version:

hugo-netcraft Aug 12 '22 11:08
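
An added example (not part of the issue and not twilio-ruby's code) that keeps every value of a repeated form key by parsing the raw body, then contrasts the `params.sort.join` formatting quoted above with a per-value expansion. The token, URL and body are constructed, the helper names are hypothetical, and the expanded format (parameter name repeated before each unique, sorted value) is an assumption, since the issue defers to the linked twilio-python comment for the exact format.

```ruby
require 'openssl'
require 'base64'
require 'uri'

# Constructed sample values: not a real token, URL or Autopilot request.
AUTH_TOKEN = 'constructed-token-for-illustration'
URL = 'https://example.invalid/autopilot'
RAW_BODY = 'CurrentTask=numbers&Field_number_Value=6&' \
           'Field_number_Value=4&Field_number_Value=3'

# Parse the raw form body so a repeated key keeps all of its values
# (the params hash in the log above holds only "3").
def multi_params(raw_body)
  URI.decode_www_form(raw_body).each_with_object({}) do |(key, value), acc|
    (acc[key] ||= []) << value
  end
end

# The formatting quoted in the issue: join flattens array values,
# so the parameter name appears once, followed by the run-together values.
def joined_string(url, params)
  url + params.sort.join
end

# Assumed format: name repeated before each unique, sorted value.
def expanded_string(url, params)
  pairs = params.sort.map do |key, value|
    Array(value).uniq.sort.map { |v| "#{key}#{v}" }.join
  end
  url + pairs.join
end

# HMAC-SHA1 over the string, keyed with the auth token, Base64-encoded.
def sign(token, data)
  Base64.strict_encode64(OpenSSL::HMAC.digest('sha1', token, data))
end

# Compare signatures without returning early on the first differing byte.
def secure_eq?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def valid?(token, url, params, signature)
  secure_eq?(sign(token, expanded_string(url, params)), signature)
end
```

A signature computed over all three values fails validation both when the string is built with `params.sort.join` and when only the last value reaches the validator, which matches the "Invalid signature" result in the log.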

This issue has been added to our internal backlog to be prioritized. Pull requests and +1s on the issue summary will help it move up the backlog (ref: DI-2305)

claudiachua Aug 17 '22 16:08